Capsule Blog

The Agentic Supply Chain: You Installed More Than You Think

Bar Kaduri
July 14, 2026

In 2025, an attacker published a package on npm called postmark-mcp, a near-exact replica of the legitimate connector that lets AI agents send email through Postmark. Developers who installed it got exactly what they expected: for fifteen versions the package worked flawlessly, quietly accumulating downloads and trust. Then, on September 17, version 1.0.16 shipped with one extra line of code that silently BCC'd every outgoing email - password resets, invoices, internal correspondence - to the attacker's domain. By the time the package was discovered and removed, 1,643 installations had been leaking their mail.

That was the first confirmed malicious MCP server, and there was nothing novel about how it worked. Attackers have been slipping poisoned packages into software supply chains for decades; what changed is the target.

What a supply chain is, and why attackers love it

Your software supply chain is everything you didn't write but run anyway: the packages you install, the packages those packages install, the container images, the build tools, the model weights you download. Modern software is mostly assembled rather than written, which is what makes it fast to build - and it's also the deal you sign, because every component you assemble extends your trust to a stranger who maintains it.

A supply chain attack exploits that trust. Instead of breaching your systems directly, the attacker compromises something you willingly install. It's efficient: poison one popular package and you compromise every downstream user at once. The Shai-Hulud worm proved this at scale in late 2025, compromising over 796 npm packages by stealing maintainer tokens and using them to publish more infected versions of itself.

None of this is news to security teams. What is news is what agents did to the blast radius.

The agentic supply chain: same risks, more doors

AI agents didn't replace the old supply chain; they inherited it whole, and then added new layers of third-party trust on top of it.

1. Dependencies, but deeper. For our State of AI Agent Security report, we audited the lock files of major AI/agent projects against comparable non-AI platforms. The AI projects declared a median of 29 direct dependencies that resolved to 271 installed packages - a 14.6x fan-out, against 2.3x for the non-AI baseline. LangChain is the extreme case, where 7 declared dependencies expand to 271 resolved packages, a 39x fan-out. The agentic AI supply chain now moves more than a billion package downloads a month, and every one of those packages runs in the agent's process, with the agent's shell access, database credentials, and API keys.

Figure 1 · Dependency fan-out: what AI/agent projects declare vs what they actually run, compared to non-AI platforms.

2. MCP servers. MCP servers are the connectors that give agents hands - email, databases, cloud APIs. Of 572 agent config files we found on GitHub, zero pinned a version, and 1,760 configs launch servers with npx -y, which auto-installs the latest version and auto-confirms it on every run. Pinning matters because it decides what happens the day a package turns malicious, whether through a fake replica like postmark-mcp or a compromised maintainer in a Shai-Hulud-style takeover: a pinned config keeps running the version you reviewed, while an unpinned one pulls the poisoned release the moment it's published. That's how postmark-mcp got its 1,643 victims - nobody chose to install version 1.0.16, their agents fetched whatever came next.

3. Skills. Skills are instruction files agents read and follow - and instructions turn out to be a payload. We scanned 206,435 skill files from GitHub and published the full findings in our latest skills blog. For the supply chain story, two campaigns stand out:

  • ClawHavoc. In late January 2026, ten coordinated accounts flooded the ClawHub skills registry with hundreds of malicious skills - by one count over 800 at peak. Each one used a fake dependency prompt to trick the agent into executing a base64-encoded reverse shell to a command-and-control server, delivering the Atomic Stealer infostealer to macOS machines. Months after disclosure, we found 662 of those skills still live in the registry, and the C2 infrastructure still online - its TLS certificate was reissued in April 2026 with ten years of validity. The campaign has gone dormant, but the trap it left behind is still armed.
  • 26medias. A publisher's skills instructed the installing agent - in plain English, no shell commands, no encoded blobs - to store a Solana private key in plaintext and route crypto payments through an attacker-controlled wallet. The malicious payload was the natural-language instruction itself. Scanners looking for suspicious code find nothing, because there is no code.

4. Model weights. The model your agent runs on is a downloaded file like any other dependency, and the format much of the ecosystem still uses to store it - Python's pickle - can execute arbitrary code embedded inside the file the moment you load it. Despite safer alternatives existing for years, 44.9% of popular Hugging Face models still ship as pickle files, and pickle-format models are downloaded about 2.1 billion times a month (Kellas et al., "PickleBall," ACM CCS 2025). Attackers already exploit this: JFrog researchers found more than 100 models on Hugging Face with malicious code hidden in their pickle files. Hugging Face scans every upload with a tool called Picklescan to catch exactly this, but in 2025 alone researchers disclosed three critical ways to slip a malicious model past it - so a clean scan is not a guarantee of a clean model. Downloading a model means running someone else's code, and most teams still don't treat it that way.

5. Slopsquatting. This layer is unique because the weakness starts inside your own tools. A USENIX Security 2025 study by Spracklen et al., which analyzed 576,000 AI-generated code samples across 16 models, found that AI coding assistants hallucinate package names at rates reaching 21.7% for open-source models, and that 43% of those invented names recur across sessions. That makes them predictable - an attacker can register the packages your AI will recommend next, before it recommends them. It's typosquatting where the machine makes the typo for you, and it has already been exploited in the wild: ReversingLabs found fake PyPI packages impersonating Alibaba Cloud AI services, hiding payloads inside pickle model files, that pulled 1,600 downloads in under 24 hours.

Figure 2 · The agentic supply chain attack surface: four component layers feed the agent; compromising any one inherits everything the agent can do.

Why the blast radius is different now

A poisoned package in a traditional app steals what that app can reach. A poisoned component in an agent stack lands inside something that holds your API keys, reads your email, executes shell commands, and acts autonomously. Our audit of the 31 most popular MCP servers found 84% lack confirmation gates before destructive operations, and of 206,435 skills we scanned, only 3.6% require human approval before acting. A compromised component in this stack doesn't just get access to your systems; it gets agency over them.

What to do about it

The fixes here are unglamorous, which is exactly why they work:

  • Pin everything. Use exact versions for packages and MCP servers, and remove npx -y from agent configs - an auto-updating, auto-confirming install is a backdoor waiting for its own version 1.0.16.
  • Verify before the AI installs. Treat every package name an assistant suggests as unverified until you've confirmed it exists and is legitimate, because slopsquatting only works on teams that don't check.
  • Review skills like code, including the prose. The 26medias campaign shows the instructions themselves can be the payload, so a skill that tells your agent to handle keys or move money is malicious regardless of whether it contains a single shell command.
  • Reject pickle in favor of SafeTensors. SafeTensors loads weights without executing code, and there is no good reason for a new project to accept pickle-format models.
  • Gate the destructive actions. An agent whose actions are assessed before they execute - whether by a human who must approve them or by an automated check that inspects each one - turns a compromised component from an incident into an alert. Sending email, deleting data, and spending money should never happen unexamined.
  • Give agents least privilege. A compromised dependency inherits whatever the agent can do, so the less the agent can do, the less the attacker gets.

How Capsule Security Can Help

Every attack in this post passed the checks people actually ran; the compromise arrived after the component was approved. That's the gap Capsule Security closes: a runtime security platform for AI agents that discovers the agents running across your organization, maps what each one can reach, watches their behavior live, and interrupts unsafe actions mid-execution - with no changes to your code, agents, or architecture. An email that suddenly BCCs an unknown domain gets stopped as it happens, not discovered in next quarter's audit. 

Book a meeting with us today!

The numbers in this post are a small slice of our "State of the Agentic AI" report, which goes much deeper into how agents are being built, attacked, and defended. Download the full report here.

Read more articles

Article

Guardian Agent: Shipping a Useful Agentic Experience

Usefulness and governance aren't a trade-off. Guardian Agent runs locally in the browser, keeps every credential server-side, and turns an afternoon of report-building into a single prompt.

Yarin Sasson
July 7, 2026
Article

Your AI Agent Inventory is Lying to You: The Rise of the "Inline Agent"

Discover the rise of 'Inline Agents' - the shadow IT of the AI era. Learn how Capsule Security uncovers undeclared AI agents hiding in your raw logs.

Guy Bidkar
July 1, 2026
Research

We Analyzed 206,435 AI Agent Skills. Here's What We Found.

Our analysis of 206,435 AI agent skills reveals a rapidly growing software supply chain vulnerable to natural language payloads and dangerous capability combinations. Read the report to understand how these skills bypass traditional security controls and learn how Capsule protects your organization by securing the agent runtime.

Bar Kaduri
June 22, 2026
Article

Mitigating the Agentic AI Threat: What Security Leadership Needs to Prioritize

The theoretical phase of agentic AI security is over—the attack surface is real and the incidents are documented. This post breaks down the defensive architecture taking shape in response: Meta's Agents Rule of Two, deterministic enforcement hooks, identity governance for non-human agents, and the questions security leaders need to be asking right now.

Bar Kaduri
June 16, 2026
Article

OWASP State of Agentic AI Security and Governance 2026: What Changed, and What It Means

A year after the first edition, plausible agentic AI threats now carry CVEs and real incidents. What changed in the OWASP State of Agentic AI Security and Governance 2026.

Bar Kaduri
May 31, 2026
Article

Every agent needs a "stop". We're standardizing it.

The industry standardized how agents talk, but never how to stop one mid-action. Capsule is helping change that through the Agent Control Standard, with hooks.security as the developer-facing companion.

Bar Kaduri
May 27, 2026
Research

The Agentic AI Threat Landscape Has Crossed a Threshold

The security risks of AI agents are no longer theoretical. This blog examines the active threat landscape facing agentic AI in 2026, from prompt injection and supply chain attacks against MCP and skill registries to the governance gap created by vibe coding and Shadow AI.

Bar Kaduri
May 24, 2026
Article

The Rise of Guardian Agents: Securing the Agentic AI Ecosystem

Guardian agents are emerging as a critical security layer for the agentic AI era. As enterprises adopt AI agents that execute tools, handle sensitive data, and operate inside real workflows, human approval loops no longer scale. Guardian agents solve this by supervising other agents in real time: monitoring actions, enforcing policy, and blocking risky behavior before execution.

Lidan Hazout
May 7, 2026
Research

CurseChain: How Hidden README Comments Trick Cursor Into Stealing - and Spreading - Your SSH Keys

Capsule found two Cursor IDE vulnerabilities that let hidden prompt-injection instructions in referenced files steal developers’ SSH keys and contaminate future unrelated projects, causing zero-click or one-click exfiltration even when the attacker ships no malicious code.

Bar Kaduri
April 29, 2026
Research

The State of AI Agent Security 2026

Capsule Security’s State of AI Agent Security 2026 report is the largest independent audit of AI agents to date, showing that the ecosystem is rapidly shipping publicly exposed, weakly guarded, highly connected agents with recurring misconfigurations, near-absent runtime controls, widespread prompt-injection risk, expanding supply-chain exposure, and active malicious campaigns still propagating through agent skill and tool registries.

Bar Kaduri
April 27, 2026
News

Capsule Security Raises $7M to Prevent AI Agents from Going Rogue in Runtime: Intent is the New Perimeter

Capsule is launching a runtime security platform for the agentic AI era, built to monitor and stop autonomous agents that can bypass traditional guardrails, misuse legitimate access, and create a new class of enterprise security risk.

Naor Paz
April 13, 2026
Article

Why MCP Gateways are a Bad Idea (and What to Do Instead)

MCP gateways secure only one protocol and create blind spots, while runtime hooks plus approved MCP registries secure the full agent runtime where real risk lives.

Lidan Hazout
April 12, 2026
Article

ClawGuard: Open Source Security for the Agentic Era

ClawGuard was built to stop dangerous agent behavior at the intent level before execution, and NVIDIA’s NemoClaw reinforces that need by securing the runtime environment from the infrastructure side.

Lidan Hazout
April 12, 2026
Research

PipeLeak: The Lead That Stole Your Database - Exploiting Salesforce Agentforce With Indirect Prompt Injection

Capsule research team discover a critical prompt injection vulnerability in Salesforce Agentforce that allows attackers to exfiltrate CRM data through a simple lead from a form submission. No authentication required.

Bar Kaduri
April 9, 2026
Research

ShareLeak: Taking the Wheel of Microsoft’s Copilot Studio (CVE-2026-21520)

The Capsule research team discovered a high severity indirect prompt injection vulnerability in Microsoft Copilot Studio that enables attackers to exfiltrate sensitive data through external SharePoint form.

Bar Kaduri
April 9, 2026